Solved.

None of the three "Exclusions" options work

I am attempting to install an update to a program from an open source project. It's an application with a very limited application and the project releases frequent updates, so I understood when Norton 360 triggered on a number of files on expansion -- at least dozens -- and quarantined them all as fitting the WS.Reputation.1 "Threat". To my understanding, this threat means that not enough users have used the file for your systems to have "blessed" it. However, I need the program to work, and I accept the risk. There were too many files to go through and restore them all.

I did research on this forum, and was linked to this page, which says that the way to whitelist this risk is to add it under "Signatures to Exclude from All Detections".   I did so, and attempted to extract the package again, and immediately the same files were quarantined again, with the same message, under the same threat.  I double-checked that the threat is still on the list of signature exclusions.

In some desperation, I tried also adding the destination directory to both "Items to Exclude from Scans"  and "Items to Exclude from Auto-Protect, Script Control, Behavioral Protection, and Download Intelligence Detection" -- checking the box each time to include all subdirectories -- and tried extracting again, to exactly the same behavior: immediate quarantine of the same files.

Is this whitelisting supposed to work?  Do I need to disable Norton 360 entirely to install, and hope my files aren't deleted once again when it restarts?

Further details:

I am running Norton 360, which actually updated in between attempts, so I know it's up to date. The operating system is Windows 10 Enterprise LTSC version 1809. 

A sample of the activity reports:

Filename: Unity.Mathematics.dll
Threat name: WS.Reputation.1
Full Path: D:\Program Files\VSeeFace\VSeeFace_Data\Managed\Unity.Mathematics.dll

____________________________

On computers as of: 2022-10-22 at 02:53:07
Last Used: 2022-10-22 at 02:55:08
Startup Item: No
Launched: No
Threat type: Insight Network Threat. There are many indications that this file is untrustworthy and therefore not safe

____________________________

Unity.Mathematics.dll
Threat name: WS.Reputation.1

Very Few Users: Fewer than 5 users in the Norton Community have used this file.
Very New: This file was released less than 1 week ago.
Medium: This file risk is medium.

____________________________

Source: External Media
Source File: Unity.Mathematics.dll

____________________________

File Actions

File: D:\Program Files\VSeeFace\VSeeFace_Data\Managed\Unity.Mathematics.dll
Removed

____________________________

File Thumbprint - SHA: f915223194ca0fa7376404bb243cd03a34f35a4574e2cf4637f8daa0b5d7bbc8
File Thumbprint - MD5: 1e7ad59cb63c38fef516ad91130348be
 

Replies

Accepted Solution

Re: None of the three "Exclusions" options work

You might be able to use the same process we recommend for a developer whose files change all the time.

The suggestion I would make is to find the app's files in Program Files or Program Files (x86), then exclude that folder and all subfolders from both items in the image below. You can create an Update folder within that excluded folder. When you get an update, before applying it, move the update file into that Update folder and run it from there.

I would also reverse the signature exclusion you made earlier, to ensure protection for the rest of your system.
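
The staging procedure described in the reply above, as an added PowerShell example that is not part of the original post or any Norton tooling. It assumes the update is a .zip archive and that the project publishes a SHA-256 for it; the download path and the expected hash are placeholders, and the application folder is the one from the activity report. Because the excluded folder is no longer scanned, the script checks the archive's hash before unpacking anything there.

```powershell
# Added example: stage and unpack an update inside the folder excluded from Norton scans.
param(
    # Assumed download location of the update archive (placeholder).
    [string]$Archive = "$env:USERPROFILE\Downloads\update.zip",
    # Application folder already added to both exclusion lists (path from the thread).
    [string]$AppDir = 'D:\Program Files\VSeeFace',
    # Placeholder: SHA-256 published by the project for this release.
    [string]$ExpectedSha256 = '<SHA-256 PUBLISHED BY THE PROJECT>'
)

$ErrorActionPreference = 'Stop'

# Create the Update folder inside the excluded tree if it does not exist yet.
$updateDir = Join-Path $AppDir 'Update'
New-Item -ItemType Directory -Path $updateDir -Force | Out-Null

# Move the archive while it is still compressed, so that extraction is
# started from, and directed to, the excluded folder.
$staged = Join-Path $updateDir (Split-Path $Archive -Leaf)
Move-Item -LiteralPath $Archive -Destination $staged -Force

# The exclusion means nothing here is scanned, so verify integrity first.
# -ne compares strings case-insensitively, which suits hex digests.
$actual = (Get-FileHash -LiteralPath $staged -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256) {
    Remove-Item -LiteralPath $staged -Force
    throw "SHA-256 mismatch for staged archive: got $actual"
}

# Unpack inside the excluded folder.
Expand-Archive -LiteralPath $staged -DestinationPath $updateDir -Force

# List what was unpacked so it can be compared with the quarantine history.
Get-ChildItem -LiteralPath $updateDir -Recurse -File |
    Select-Object FullName, Length
```

Writing under `D:\Program Files` may require an elevated PowerShell session.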


 


Re: None of the three "Exclusions" options work

Since you provided the needed info [here] and the file is found with VirusTotal [here], I submitted a False Positive report.

Your submission was successful
Submission ID is: 8f9bb374-7d41-4a48-8cff-79caed6cf10d
Please store this for future reference.
//check submission status

 https://submit.norton.com/?type=CHECK&submission_id=8f9bb374-7d41-4a48-8cff-79caed6cf10d

------------------

I imagine if the .dll file were seen a few more times by Norton, the WS.Reputation.1 will resolve. $0.02

----------------

Report a suspected incorrect detection to NortonLifeLock
https://support.norton.com/sp/en/us/home/current/solutions/v126152382

Submit a file to NortonLifeLock
https://support.norton.com/sp/en/ie/home/current/solutions/kb20090602171902EN

Respond to incorrect Norton alerts that a file is infected or a program or website is suspicious
https://support.norton.com/sp/en/us/home/current/solutions/kb20100222230832E


Re: None of the three "Exclusions" options work

Okay. Following peterweb's instructions on moving the compressed file to the directory did work -- or at least, the particular files are no longer being flagged; I suppose the reputation system might have caught up instead.  I guess we'll see if this continues to work going forward.

If this keeps working, I guess the mechanism for Norton 360 ignoring the directory-level whitelist was that it was spotting the extraction in progress and quarantining from the files' temporary location, and then reporting that the files were quarantined instead from their destination.  That's understandable, if awkward and counterintuitive, but I'm not sure there's a good reason that it was completely ignoring the threat-level whitelist.

 (I had previously used the "Items to Exclude from Scans" setting to block similar quarantines when I'd compiled my own programs before, and I guess the compiler wasn't creating any of its new files in non-whitelisted areas.)

Thank you for your help.


Re: None of the three "Exclusions" options work

Posted: 22-Oct-2022 
bjm_:

Since you provided the needed info [here] and the file is found with VirusTotal [here], I submitted a False Positive report.

Your submission was successful
Submission ID is: 8f9bb374-7d41-4a48-8cff-79caed6cf10d
Please store this for future reference.
//check submission status

 https://submit.norton.com/?type=CHECK&submission_id=8f9bb374-7d41-4a48-8cff-79caed6cf10d

------------------

~ my submission is still being processed
